Cyber Insights - Part 1 - with Mark Kendrew, Interim CISO and Security Leader
We’re delighted to have Mark join us for our first Cyber Insights feature where he discusses how, with the current focus on security governance, CISOs (Chief Information Security Officers) should be the Board’s trusted advisor; promoting, understanding and enabling security through agile change.
Security risks are increasingly on the Board’s agenda, but are they being well managed?
Security, data privacy and cyber resilience can have strategic impacts on a business in ways that may extend beyond its boundaries to affect customers, shareholders and third parties. The adverse impact of an incident can lead to service disruption; financial penalties; a loss of trust, reputation or share price; legal or regulatory non-compliance; or a combination of all of these. However, when done well, security can help a business to achieve its goals with better service quality and innovation; and more efficient and cost-effective operations. Therefore, security presents strategic business risks and opportunities that should be managed at Board level.
Boards are becoming increasingly aware of the need to manage security, privacy and resilience to achieve their strategic objectives – more so if they must comply with the evolving legislation and regulation associated with high-risk industry sectors. Boards recognise they must maintain the trust, confidence and support of their shareholders, customers and staff, particularly when incidents occur. Thus, they often include security on their list of strategic risks, discussing it at Board meetings and in their annual reports. However, such actions do not necessarily mean that Boards will be successful in managing their security risks or detecting and responding to security incidents.
So how can CISOs help their Boards to tackle their security challenges and use their security capabilities to create strategic value?
In summary, the CISO should communicate directly with the Board members and become their trusted advisor, building effective relationships across the business to create a collaborative and viable security culture. The CISO should help the Board to articulate its security threats and vulnerabilities in business terms; define a set of security capabilities informed by legislation and best practice; and build the required security capabilities using an agile approach, shaped by risk priorities, management information and intelligence.
Who should the Board consult to learn more about how they should manage security?
The CISO should communicate directly with the Board and become its trusted security advisor. Traditionally, information security, data privacy and resilience were managed at a low level by disparate IT and other functional teams. Today, less than half of businesses have a CISO who reports directly to the Board. Thus, Boards are often not given reliable security briefings that are up to date, robust and comprehensive. A lack of direct access to a CISO can also mean that security advice is delivered by Directors who may not understand security and may have conflicting business, financial and technology priorities. Boards with a trusted CISO, who directly reports to them, are more likely to receive complete and timely security briefings that they can rely upon. Such Boards will be able to make more informed decisions that result in more effective security risk and incident management.
Who should the Board involve in creating an appropriate and sustainable security culture?
The CISO should help the Board build a collaborative culture where security is everybody’s business. Security depends on how people behave, the IT systems and processes they use and the controls that provide management oversight. Thus, security is the responsibility of the whole organisation because it arises from effective collaboration between business, technology and security staff. A suitably empowered CISO can provide clear leadership, working with business teams to understand the security threats and define strategic plans to enable the business to function with acceptable levels of risk. Also, the CISO can engage technology teams to develop security through the procurement and delivery of IT-enabled business change and security controls. Lastly, the CISO should work with other corporate functions to help the business prepare for, detect and respond to security incidents.
Why should the Board be concerned about security when it has other strategic risks to manage?
The CISO should help the Board understand its threats and describe security risks in business terms. Whilst generic knowledge of security risks may be increasing across the business community, many businesses do not know what assets they have that are of value to attackers. This, coupled with their lack of knowledge of how attackers operate, means businesses do not have a sound understanding of the motive, means and possible opportunities for being attacked; or the likely impact of those attacks. Consequently, businesses are unaware of the level of risk they are exposed to; and whether this is acceptable to their stakeholders and shareholders. A CISO can improve Board awareness of typical security threats; help the Board to understand its specific vulnerabilities; and describe the likely risk impacts in terms that are meaningful to the Board and comparable with its other risks.
Which of the many standards and security frameworks should the Board adopt?
The CISO should define a viable set of security capabilities derived from multiple best practice sources. There are many sources of advice available to Boards that are intended to help them manage their security risks. These include international and national standards, best practice frameworks, Government guidance and advice from security consultants. More recently, legislation and industry regulations have been enhanced to drive the creation of minimum standards across businesses. CISOs of more mature businesses recognise the need to use a combination of sources of advice to define a set of aspirational security capabilities appropriate for their business. The CISO can then work with business, technology and third-party stakeholders to assess their existing capabilities.
What action should the Board take to reduce security risks whilst still achieving its business goals?
The CISO should gain Board approval for a funded security strategy linked to business priorities. Whilst most organisations claim to have a strategy to improve their security capabilities, its quality and reliability may not withstand scrutiny. A lack of knowledge of the valuable business assets and associated security risks means that the strategic priorities are unlikely to be consistent with the true business risks. Furthermore, most security strategies are neither aligned to the strategic business objectives nor supported by a realistic and dedicated budget for their implementation. The CISO should work with the Board to develop an appropriate and affordable strategy that is consistent with the Board’s risk appetite. The strategy should balance the long-term goals with the immediate needs to establish minimum incident detection and response capabilities; and mitigate high-priority risks.
How should the Board track the progress being made to reduce its exposure to security risks?
The CISO should deliver the strategy through agile plans informed by intelligence, risk and learning. Experience shows that strategic plans are not realised unless there is appropriate Board oversight, underpinned by complete and timely management reporting. At the same time, technology and the vulnerabilities used to enable attacks change rapidly. Therefore, security capabilities must be continually developed using a dynamic and flexible delivery approach. It is better to deliver short-term improvements quickly, fine-tuning them later, than to wait to deliver a better solution tomorrow. The CISO should work with the Board to routinely monitor implementation versus plan. The plans should be modified in response to changes in the business landscape; threat intelligence and risk assessments; and the lessons learned from breach detection and incident investigations.
A huge thank you to Mark for sharing his knowledge and insights in our first Cyber Insights feature.
If you’d like to feature in our Cyber Insights series you can contact the team at firstname.lastname@example.org.
Next week we will be speaking to Marilise De Villiers who will be sharing her insights!
About the Author
Mark is an interim CISO/security leader who enables organisations to realise challenging strategic goals whilst ensuring acceptable levels of security, privacy and resilience. Mark specialises in engaging Boards, bringing together business, technology and security teams to understand their strategic security risks; design affordable plans to mitigate them; and implement collaborative IT-enabled mitigation. He works for FTSE100 firms, SMEs and Government Departments at local, national and global levels, delivering £multi-million benefits and £billion reductions in risk. Outside work, Mark is a Special Constabulary Chief Officer leading a team of 280+ volunteer police officers.
If you’d like to know more about Mark’s experience, you can find him on LinkedIn here: